RE: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related? from Murray S. Kucherawy on 2011-12-15 (OpenDKIM Users mailing list)

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Thu, 15 Dec 2011 16:29:21 -0800

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Kevin A. McGrail
> Sent: Thursday, December 15, 2011 4:17 PM
> To: SM
> Cc: Axb; opendkim-users_at_lists.opendkim.org
> Subject: Re: SA DKIM related bug 6462 - Possibly Gmail, Sendmail and/or Thunderbird related?
>
> This definitely shows that the case used in the Received header is re-
> injected by either procmail or Sendmail changing the case on the
> original To header because the header I wrote is clearly overridden.

I think only specific header fields are rewritten by Sendmail, i.e. those that are likely to be seen by users. The rewrites include making the field RFC-compliant in terms of quoting, but might also do something like make sure the domain part of the To: is the same as whatever came back from the DNS. However, I'm pretty sure Received is not on that header field list (or perhaps it's marked as a "trace field" and thus passed up for modification). The unfortunate thing is that all of the header field modification Sendmail does, much of which is correct and/or useful, happens after the milter interface has been applied, so the DKIM signing filter sees the unmodified copy, which is different from what goes out over the wire, which in turn means the signature won't validate.

OpenDKIM has features to compensate for this, specifically for this reason.

> This behavior subsequently breaks DKIM's ability to check a signature
> because of the change on the To: header based on my testing with Gmail.
> And I do understand this is not a bug in DKIM unless for the To: Header
> is not supposed to be used or case-sensitivity is not supposed to
> involved. But I think this is a large issue that likely points to a
> major problem with big players in the DKIM arena.

If you are concerned about this and only this (i.e., not other potential signature-breaking rewrites), you could use "relaxed" canonicalization on the header when applying DKIM signatures, which folds it all to lowercase before processing anyway. But that's not enough for things like sendmail's "masquerade" or "genericstable" features, which can make much more drastic changes.

-MSK
Received on Fri Dec 16 2011 - 00:29:29 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:22 PST